- Changed spring-beans.xml config to allow customization of the servi…

…ce base URL path -> Changed the service URL path to /pdp in tests (instead of /services/pdp), and to / in docker folder, using cxf.path and cxf.jaxrs.server.path properties in application.yaml

- Renamed docker-compose.yml to compose.yml in docker folder
- Removed testng suite xml file, using JUnit 5 only instead.
- Enhanced the PDP's JAX-RS resource implementation (JaxrsPdpResource and PdpBundle classes) to support another JSON-based authorization API (e.g. AuthZEN) when application/json mime type is used, in addition to XACML/XML and XACML/JSON (application/xacml+json)
- Upgraded spring-boot-dependencies to 3.1.11, and cxf to 4.0.4
- Added developer and license info to Maven POM
- Fixed unit tests in cxf-spring-boot-server module

cxf-spring-boot-server/Dockerfile

@@ -19,5 +19,5 @@ COPY ${JAR_FILE} /app.jar
 EXPOSE 8080
 EXPOSE 8443
 
-ENV JAVA_OPTS="-Dloader.path=/extensions -Djava.security.egd=file:/dev/./urandom -Djava.awt.headless=true -Djavax.xml.accessExternalSchema=all -Xms1024m -Xmx2048m -server"
+ENV JAVA_OPTS="-Dloader.path=/home/spring/extensions -Djava.security.egd=file:/dev/./urandom -Djava.awt.headless=true -Djavax.xml.accessExternalSchema=all -Xms1024m -Xmx2048m -server"
 CMD java ${JAVA_OPTS} -jar /app.jar --spring.config.location=classpath:/,file:/conf/application.yml

cxf-spring-boot-server/pom.xml

@@ -22,8 +22,8 @@
 				<groupId>org.springframework.boot</groupId>
 				<artifactId>spring-boot-dependencies</artifactId>
 				<!--<version>${spring-boot.version}</version>-->
-				<!-- Upgrading Spring boot version to fix CVE-2023-6378-->
-				<version>3.1.8</version>
+				<!-- Upgrading Spring boot version to fix CVE-2024-22243,  CVE-2024-22262 -->
+				<version>3.1.11</version>
 				<type>pom</type>
 				<scope>import</scope>
 				<!-- jsonassert depends on com.vaadin.external.google:android-json whose classes conflict with org.json:json; same issue with json-path -->
@@ -49,9 +49,11 @@
 		<dependency>
 			<groupId>org.apache.cxf</groupId>
 			<artifactId>cxf-rt-features-logging</artifactId>
-			<version>${cxf.version}</version>
+			<!--CVE fix: forcing v4.0.4-->
+			<!--<version>${cxf.version}</version> -->
+			<version>4.0.4</version>
 		</dependency>
-		<!-- cxf-spring-boot-starter-jaxrs:3.6.1 depends on spring-boot-starter:2.7.14 depends on snakeyaml:1.30 by default, which is affected by several CVES, fixed only in snakeyaml:2.0 and above
+		<!-- cxf-spring-boot-starter-jaxrs:4.0.4 depends on spring-boot-starter:3.0.13 depends on snakeyaml:1.33 by default, which is affected by several CVES, fixed only in snakeyaml:2.0 and above
 		 So we are forcing snakeyaml:2.0+ version.
 		 -->
 		<dependency>
@@ -62,12 +64,9 @@
 		<dependency>
 			<groupId>org.apache.cxf</groupId>
 			<artifactId>cxf-spring-boot-starter-jaxrs</artifactId>
-			<version>${cxf.version}</version>
-		</dependency>
-		<dependency>
-			<groupId>junit</groupId>
-			<artifactId>junit</artifactId>
-			<scope>test</scope>
+			<!--CVE fix: forcing v4.0.4 -->
+			<!--<version>${cxf.version}</version> -->
+			<version>4.0.4</version>
 		</dependency>
 		<dependency>
 			<groupId>org.springframework.boot</groupId>
@@ -172,24 +171,12 @@
 				<groupId>org.apache.maven.plugins</groupId>
 				<artifactId>maven-surefire-plugin</artifactId>
 				<configuration>
-					<!-- <suiteXmlFiles> -->
-					<!-- Parameters in the XML files seem to be ignored (more info: http://maven.apache.org/surefire/maven-surefire-plugin/examples/testng.html) -->
-					<!-- Using multiple test suites simplifies debugging and prevent some TestNG issues happening when reusing same class/methods over multiple tests in same test suite -->
-					<!-- <suiteXmlFile>src/test/suite.xml</suiteXmlFile> -->
-					<!-- </suiteXmlFiles> -->
 					<skipAfterFailureCount>1</skipAfterFailureCount>
 					<!-- redirectTestOutputToFile: set this to 'true' to redirect the unit test standard output to a file (found in reportsDirectory/testName-output.txt) -->
 					<redirectTestOutputToFile>false</redirectTestOutputToFile>
 					<systemPropertyVariables>
 						<javax.xml.accessExternalSchema>all</javax.xml.accessExternalSchema>
 					</systemPropertyVariables>
-					<properties>
-						<property>
-							<name>surefire.testng.verbose</name>
-							<!-- verbosity level from 0 to 10 (10 is the most detailed), or -1 for debug More info: http://maven.apache.org/surefire/maven-surefire-plugin/examples/testng.html -->
-							<value>2</value>
-						</property>
-					</properties>
 				</configuration>
 			</plugin>
 			<plugin>

cxf-spring-boot-server/src/main/resources/spring-beans.xml

@@ -58,7 +58,7 @@
 		address="/"
 		staticSubresourceResolution="true">
 		<jaxrs:serviceBeans>
-			<bean class="org.ow2.authzforce.rest.pdp.jaxrs.XacmlPdpResource">
+			<bean class="org.ow2.authzforce.rest.pdp.jaxrs.JaxrsPdpResource">
 				<constructor-arg ref="pdpEngineConf" />
 			</bean>
 		</jaxrs:serviceBeans>

cxf-spring-boot-server/src/test/java/org/ow2/authzforce/rest/pdp/cxf/springboot/test/XacmlRestProfileJaxRsTest.java

@@ -18,36 +18,34 @@
  */
 package org.ow2.authzforce.rest.pdp.cxf.springboot.test;
 
-import java.io.FileInputStream;
-import java.io.IOException;
-import java.io.InputStream;
-import java.io.InputStreamReader;
-import java.nio.charset.StandardCharsets;
-import java.util.Collections;
-
 import jakarta.ws.rs.core.Response;
 import jakarta.ws.rs.core.Response.Status;
-
 import org.apache.cxf.jaxrs.client.WebClient;
 import org.json.JSONObject;
-import org.junit.Assert;
-import org.junit.BeforeClass;
-import org.junit.Test;
-import org.junit.runner.RunWith;
+import org.junit.jupiter.api.BeforeAll;
+import org.junit.jupiter.api.Test;
 import org.ow2.authzforce.jaxrs.util.JsonRiJaxrsProvider;
 import org.ow2.authzforce.rest.pdp.cxf.springboot.CxfJaxrsPdpSpringBootApp;
 import org.ow2.authzforce.xacml.json.model.LimitsCheckingJSONObject;
 import org.ow2.authzforce.xacml.json.model.XacmlJsonUtils;
 import org.springframework.boot.test.context.SpringBootTest;
 import org.springframework.boot.test.context.SpringBootTest.WebEnvironment;
 import org.springframework.boot.test.web.server.LocalServerPort;
-import org.springframework.test.context.junit4.SpringRunner;
+
+import java.io.FileInputStream;
+import java.io.IOException;
+import java.io.InputStream;
+import java.io.InputStreamReader;
+import java.nio.charset.StandardCharsets;
+import java.util.Collections;
+
+import static org.junit.jupiter.api.Assertions.assertEquals;
+import static org.junit.jupiter.api.Assertions.assertTrue;
 
 /**
  * Test for CXF/JAX-RS-based REST profile implementation using XACML JSON Profile for payloads
  * 
  */
-@RunWith(SpringRunner.class)
 @SpringBootTest(classes = CxfJaxrsPdpSpringBootApp.class, properties = { "spring.config.location=target/test-classes/server/application.yml",
         "cfg.dir=target/test-classes/server" }, webEnvironment = WebEnvironment.RANDOM_PORT)
 public class XacmlRestProfileJaxRsTest
@@ -61,7 +59,7 @@ public class XacmlRestProfileJaxRsTest
 
 	private static final int MAX_JSON_DEPTH = 10;
 
-	@BeforeClass
+	@BeforeAll
 	public static void setup()
 	{
 		System.setProperty("javax.xml.accessExternalSchema", "http,https,file");
@@ -103,11 +101,11 @@ public void testPdpRequest() throws IOException
 				XacmlJsonUtils.RESPONSE_SCHEMA.validate(expectedResponse);
 
 				// send request
-				final WebClient client = WebClient.create("http://localhost:" + port + "/services", Collections.singletonList(new JsonRiJaxrsProvider()));
+				final WebClient client = WebClient.create("http://localhost:" + port, Collections.singletonList(new JsonRiJaxrsProvider()));
 				final JSONObject actualResponse = client.path("pdp").type("application/xacml+json").accept("application/xacml+json").post(jsonRequest, JSONObject.class);
 
 				// check response
-				Assert.assertTrue(expectedResponse.similar(actualResponse));
+				assertTrue(expectedResponse.similar(actualResponse));
 			}
 		}
 	}
@@ -130,11 +128,11 @@ public void testInvalidPdpRequest() throws IOException
 			 */
 
 			// send request
-			final WebClient client = WebClient.create("http://localhost:" + port + "/services", Collections.singletonList(new JsonRiJaxrsProvider()));
+			final WebClient client = WebClient.create("http://localhost:" + port, Collections.singletonList(new JsonRiJaxrsProvider()));
 			final Response actualResponse = client.path("pdp").type("application/xacml+json").accept("application/xacml+json").post(jsonRequest);
 
 			// check response
-			Assert.assertEquals(Status.BAD_REQUEST.getStatusCode(), actualResponse.getStatus());
+			assertEquals(Status.BAD_REQUEST.getStatusCode(), actualResponse.getStatus());
 		}
 	}
 }

cxf-spring-boot-server/src/test/resources/server/application.yml

@@ -4,7 +4,9 @@
 # Server HTTP port
 #server.port=8080
 # JAX-RS server endpoint address (default is "/")
-#cxf.jaxrs.server.path=/
+# Spring Boot CXF JAX-RS configuration (more info: https://cxf.apache.org/docs/springboot.html )
+cxf.path: /
+cxf.jaxrs.server.path: /pdp
 # Do not use server.address to set service endpoint address as it is already used by Spring Boot
 
 # App configuration directory

cxf-spring-boot-server/src/test/resources/server/spring-beans.xml

@@ -54,11 +54,11 @@
 
 	<!-- <jaxrs:server depends-on="ClientAuthHttpsSettings" address="https://localhost:${testutil.ports.PdpServer}/authzforce-ce"> -->
 	<jaxrs:server
-		id="tazService"
-		address="/"
+		id="xacmlPdp"
+		address="${cxf.jaxrs.server.path}"
 		staticSubresourceResolution="true">
 		<jaxrs:serviceBeans>
-			<bean class="org.ow2.authzforce.rest.pdp.jaxrs.XacmlPdpResource">
+			<bean class="org.ow2.authzforce.rest.pdp.jaxrs.JaxrsPdpResource">
 				<constructor-arg ref="pdpEngineConf" />
 			</bean>
 		</jaxrs:serviceBeans>

docker/docker-compose.yml → docker/compose.yml

@@ -1,11 +1,7 @@
----
-version: '3.4'
-
 services:
 
-  pdp:
-    # depends_on:
-    #  - iam
+  xacml-pdp:
+    # profiles: [xacml]
     image: authzforce/restful-pdp
 
     ports:
@@ -14,11 +10,11 @@ services:
 
     environment:
       # Variable to customize JVM options
-      JAVA_OPTS: "-Dloader.path=/extensions -Djava.security.egd=file:/dev/./urandom -Djava.awt.headless=true -Djavax.xml.accessExternalSchema=all -Xms512m -Xmx1024m -server"
+      JAVA_OPTS: "-Dloader.path=/home/spring/extensions -Djava.security.egd=file:/dev/./urandom -Djava.awt.headless=true -Djavax.xml.accessExternalSchema=all -Xms512m -Xmx1024m -server -Dspring.profiles.active=default"
 
     volumes:
      # The source path is given as example here. If you want to use AuthzForce PDP extensions, replace it with the path to the folder where you have the extension(s) JAR(s) with all dependencies that are not already part of the Docker image (i.e. that are not already dependencies of Maven artifact 'authzforce-ce-restful-pdp-cxf-spring-boot-server').
-     - ./pdp/extensions:/extensions:ro
+     - ./pdp/extensions:/home/spring/extensions:ro
 
      # Volume used to customize global Spring Boot settings (e.g. disable SSL or modify SSL settings), or change app-specific configuration (e.g. logging in 'logback.xml' file).
      - ./pdp/conf:/conf:ro
@@ -27,3 +23,9 @@ services:
 
     # The custom command below is useful when you need to wait for another service to be fully operational (healthcheck on 'iam' server, port 443, in this case), before running this one 
     # command: sh -c "/wtfc.sh --progress --timeout=120 --interval=10 --status=0 nc -w 5 -vz iam 443 && java $${JAVA_OPTS} -jar /app.jar --spring.config.location=file:/conf/application.yml"
+
+# Other PDP variant
+#  other-pdp:
+#    profiles: [other-profile]
+#    image: authzforce/restful-pdp-profilexxx
+#   ...

docker/pdp/conf/application.yml

@@ -1,10 +1,9 @@
 # Active profile
 # spring.profiles.active: default
 
-# Server HTTP port
-#server.port=8080
-# JAX-RS server endpoint address (default is "/")
-#cxf.jaxrs.server.path=/
+# Spring Boot CXF JAX-RS configuration (more info: https://cxf.apache.org/docs/springboot.html )
+cxf.path: /
+cxf.jaxrs.server.path: /
 # Do not use server.address to set service endpoint address as it is already used by Spring Boot
 
 # App configuration directory

docker/pdp/conf/logback.xml

@@ -50,17 +50,6 @@
 	<!-- </appender> -->
 	<!-- <appender name="accessAsync" class="ch.qos.logback.classic.AsyncAppender"> <appender-ref ref="access" /> </appender> -->
 
-	<!-- Dumping HTTP requests and response with their headers for access logging. More info: http://blog.xebia.fr/2013/10/10/logs-daudit-pour-les-services-rest/ Use "accessAsync" appender for better performance 
-		(asynchronous logging) -->
-	<!-- <logger name="RequestLoggerFilter.request" level="DEBUG" additivity="false"> -->
-	<!-- <appender-ref ref="access"/> -->
-	<!-- </logger> -->
-	<!-- <logger name="RequestLoggerFilter.response" level="DEBUG" additivity="false"> -->
-	<!-- <appender-ref ref="access"/> -->
-	<!-- </logger> -->
-	<!-- <logger name="RequestLoggerFilter.headers" level="INFO" additivity="false"> -->
-	<!-- <appender-ref ref="access"/> -->
-	<!-- </logger> -->
 
 	<logger name="org.ow2.authzforce" additivity="false" level="WARN">
 		<appender-ref ref="CONSOLE" />
@@ -70,7 +59,6 @@
 	<!-- For logging request/response to/from webapp, only logger "org.apache.cxf" in level INFO is required. -->
 	<!-- <logger name="org.apache.cxf" additivity="false" level="INFO"> <appender-ref ref="CONSOLE" /> </logger> -->
 	<!-- <logger name="org.apache.http" additivity="false" level="INFO" /> -->
-	<!-- <logger name="org.apache.http.wire" level="INFO" /> -->
 
 	<logger name="org.springframework" additivity="false" level="INFO">
 		<appender-ref ref="CONSOLE" />